Amazon Inspector

Understand Inspector as AWS vulnerability management, including EC2, ECR, Lambda scanning, findings, risk scoring, organizations, EventBridge, and exam signals.

Level: foundation | 5 min read | Updated 2026-06-02 | Topics: Cloud, Certification, Security Operations
Key terms: Vulnerability Management, Finding, CVE, Inspector Score, EC2 Scanning, ECR Image Scanning, Lambda Scanning, Network Exposure

After this, you will understand

Inspector helps learners stop treating vulnerability management as a periodic manual scan and start seeing it as continuous workload assessment.

Plain version

Amazon Inspector automatically discovers and scans supported workloads for software vulnerabilities and unintended network exposure.

Decision pressure

Learners reach for GuardDuty or Security Hub as if those services scanned packages, container images, and Lambda functions for CVEs.

Exam-ready model

Use Inspector for continuous vulnerability findings, then route results to Security Hub, EventBridge, patching workflows, and image remediation.

Think before reading: What is the clean difference between GuardDuty and Inspector?
GuardDuty detects suspicious behavior and threats; Inspector scans supported workloads for vulnerabilities and network exposure.


Concepts Covered

  • Vulnerability management
  • Continuous scanning
  • EC2 scanning
  • ECR container image scanning
  • Lambda function scanning
  • CVEs
  • Inspector score
  • Network exposure findings
  • AWS Organizations delegated administration
  • Security Hub and EventBridge integration
  • SAA-C03 exam traps

1. Plain-English Mental Model

Amazon Inspector is managed vulnerability management for supported AWS workloads.

The simple model is:

EC2, ECR images, Lambda -> Inspector scanning -> vulnerability findings

Inspector asks a different question from GuardDuty. GuardDuty asks, "Does this behavior look suspicious or malicious?" Inspector asks, "Does this workload contain known vulnerabilities or unintended network exposure?"

It is a continuous scanning service. Instead of running a one-time assessment once a quarter, Inspector discovers supported resources and updates findings as packages, images, functions, and vulnerability databases change.

2. Why This Service Exists

Software becomes vulnerable after deployment.

A package version that looked safe last month may receive a new CVE today. A container image might sit in ECR with outdated libraries. A Lambda function may include vulnerable dependencies. An EC2 instance may have packages that need patches. A network path may expose something unexpectedly.

Inspector exists to reduce the manual burden of vulnerability discovery in AWS workloads.

For SAA-C03, Inspector appears in questions about scanning EC2 instances, ECR container images, Lambda functions, package vulnerabilities, CVE findings, risk-based remediation, and central vulnerability management across accounts.

The most important boundary: Inspector finds vulnerabilities. It does not detect active malicious behavior the way GuardDuty does, and it does not aggregate findings from many services the way Security Hub does.

3. The Naive Approach And Where It Breaks

The naive pattern is a scheduled manual scan:

run scanner occasionally -> export spreadsheet -> patch someday

This breaks because vulnerability information changes continuously. New CVEs are published. New images are pushed. New instances start. Old images stay deployed. A monthly scan can miss a serious vulnerability for weeks.

Another naive pattern is to treat container image scanning as enough. An application may run on EC2, Lambda, and containers. Vulnerability management needs coverage across the supported runtime surfaces.

Another mistake is relying on Inspector findings without a remediation workflow. A finding is useful only if teams patch, rebuild images, redeploy functions, close exposure, or accept risk deliberately.

Inspector makes discovery easier. It does not remove ownership.

4. Core Primitives

An eligible resource is a supported workload Inspector can scan, such as EC2 instances, ECR container images, and Lambda functions.

A finding is a report describing a vulnerability or unintended network exposure.

A CVE is a publicly known vulnerability identifier.

The Inspector score is a contextual severity score: it starts from the vulnerability's published severity (such as its CVSS base score) and adjusts it for aspects of the AWS environment, for example whether the affected resource is reachable over the network.

Continuous scanning means Inspector can rescan when workloads change or when new vulnerability intelligence applies.

Delegated administration through AWS Organizations lets a security account manage Inspector across member accounts.

Findings can be sent to EventBridge and Security Hub.

Suppression rules can hide findings that match defined criteria, but they should be governed.

5. Architecture Use Cases

Use Inspector to scan EC2 instances for operating system and package vulnerabilities.

Use it to scan ECR container images so teams know when base images or application dependencies need rebuilding.

Use it to scan Lambda functions and dependencies where supported.

Use findings to drive patch workflows:

Inspector finding -> Security Hub -> ticket -> patch or rebuild -> redeploy

Use EventBridge for near-real-time routing of high-severity findings.

Use organization-wide delegated administration to avoid per-account vulnerability islands.

Use Inspector alongside Systems Manager Patch Manager for EC2 remediation planning: Inspector identifies which instances carry vulnerable packages, Patch Manager applies the patches.
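The routing step above (Inspector finding to EventBridge to a high-severity target) is easiest to see as the rule pattern plus the matching logic it relies on. The block below is an added example, not code from the original page or from AWS: it implements the small subset of EventBridge event-pattern matching needed to show how a rule selects active HIGH and CRITICAL findings from the `aws.inspector2` source with detail-type `Inspector2 Finding`. The finding events are constructed samples; the account id, resource ids and CVE id are placeholders, and the target names (`page-oncall`, `archive-for-reporting`) are assumed labels rather than real EventBridge targets.

```python
"""EventBridge-style routing of Amazon Inspector findings by severity.

Added example, not code from the original page or from AWS. It reproduces
the subset of EventBridge event-pattern matching needed to show how a rule
selects HIGH/CRITICAL Inspector findings. The finding events below are
constructed samples shaped like "Inspector2 Finding" events from the
aws.inspector2 source; the CVE id, resource ids and account id are
placeholders, and the target names are assumed, not real EventBridge targets.
"""
import json

# Rule pattern as it would be attached to an EventBridge rule: only active
# HIGH or CRITICAL findings reach the on-call target; everything else is
# left for the normal Security Hub / reporting path.
HIGH_SEVERITY_RULE = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["HIGH", "CRITICAL"],
        "status": ["ACTIVE"],
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Exact-value EventBridge matching: every pattern key must be present in
    the event, a list value means "one of these", and nested objects recurse.
    Prefix, anything-but and numeric matchers are intentionally omitted."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def route(event: dict) -> str:
    """Decide where one finding event goes (target names are placeholders)."""
    return "page-oncall" if matches(HIGH_SEVERITY_RULE, event) else "archive-for-reporting"


def finding_event(severity: str, status: str, resource_type: str, score: float) -> dict:
    """Build a constructed Inspector2 Finding event carrying the fields the
    rule (and a later triage step) would read."""
    return {
        "version": "0",
        "source": "aws.inspector2",
        "detail-type": "Inspector2 Finding",
        "account": "111122223333",  # placeholder account id
        "region": "us-east-1",
        "detail": {
            "severity": severity,
            "status": status,  # Inspector finding status: ACTIVE, SUPPRESSED or CLOSED
            "type": "PACKAGE_VULNERABILITY",
            "inspectorScore": score,
            "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00000"},  # placeholder
            "resources": [{"type": resource_type, "id": "placeholder-resource-id"}],
        },
    }


# Constructed sample events: one per routing outcome worth checking.
SAMPLE_EVENTS = {
    "critical_ec2": finding_event("CRITICAL", "ACTIVE", "AWS_EC2_INSTANCE", 9.8),
    "medium_ecr": finding_event("MEDIUM", "ACTIVE", "AWS_ECR_CONTAINER_IMAGE", 5.3),
    "high_suppressed": finding_event("HIGH", "SUPPRESSED", "AWS_LAMBDA_FUNCTION", 7.5),
    "closed_critical": finding_event("CRITICAL", "CLOSED", "AWS_EC2_INSTANCE", 9.1),
}


def route_all(events: dict) -> dict:
    """Map each sample name to its routing decision."""
    return {name: route(ev) for name, ev in events.items()}


if __name__ == "__main__":
    print(json.dumps(HIGH_SEVERITY_RULE, indent=2))
    for name, target in route_all(SAMPLE_EVENTS).items():
        print(f"{name:16} -> {target}")
```

Two details matter for a real rule. Filtering on `status` keeps suppressed and closed findings from paging anyone, which is the difference between a noisy rule and one the on-call team trusts; and the `detail` object is matched by key, so a GuardDuty event with a numeric `severity` never satisfies this pattern even if its value happens to be high.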

7. Security Model

Inspector needs permission to discover and assess supported resources.

For EC2 scanning, agent-based coverage depends on the Systems Manager Agent (SSM Agent) running on the instance with a supported configuration. If instances are not eligible or are not managed correctly, coverage may be incomplete.

Findings can reveal vulnerable package names, versions, resource names, exposed ports, and application structure. Limit who can view and suppress them.

Delegated administrator access should be controlled carefully.

Do not treat suppression as remediation. Suppression is for noise management, accepted risk, or known exceptions.

Use CloudTrail to audit Inspector API actions.

8. Reliability And Resilience

Inspector improves security resilience by helping teams patch before attackers exploit known issues.

However, it depends on supported resource types, Regional enablement, account enrollment, and workload eligibility.

Container image findings do not fix running containers automatically. Teams need image rebuild and deployment workflows.

EC2 findings do not patch instances automatically. Use patch management, maintenance windows, deployment pipelines, or immutable image replacement.

If findings are routed poorly, critical vulnerabilities can age silently.

9. Performance And Scaling

Inspector is managed and designed for continuous vulnerability assessment.

The scaling challenge is finding ownership. Large environments may produce many findings across thousands of instances, images, and functions.

Use filters, severity, exploitability context, asset criticality, and workload ownership to prioritize.

Avoid treating all medium findings as equal. A network-exposed vulnerability on an internet-facing workload is different from the same CVE on an isolated test instance.

Security Hub and ticketing systems help turn findings into accountable work.
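The prioritization argument in this section (severity plus exposure plus asset criticality, with suppression governed rather than trusted) is small enough to write down. The block below is an added example, not code from the original page or from AWS: it ranks constructed findings that carry the fields a triage script would pull from Inspector (severity, Inspector score, network reachability, status). The `criticality` value is an assumed resource-tag convention, the multipliers are illustrative choices rather than any AWS-published formula, and the resource ids and CVE ids are placeholders. The first two sample findings are the same CVE on an internet-facing production instance and on an isolated test instance, the case the text calls out.

```python
"""Context-aware triage of Amazon Inspector findings.

Added example, not code from the original page or from AWS. The Finding
records are constructed to mirror the fields a triage script would pull
from Inspector (severity, inspectorScore, network reachability, status);
the 'criticality' value is an assumed resource-tag convention, and the
weights are illustrative choices, not an AWS-published formula.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

# Illustrative multipliers: exposure and asset criticality change how urgent
# the same CVE is. Tune these per environment.
EXPOSURE_WEIGHT = {True: 2.0, False: 1.0}
CRITICALITY_WEIGHT = {"prod": 1.25, "staging": 1.0, "test": 0.5}


@dataclass
class Finding:
    resource_id: str           # placeholder resource identifier
    vuln_id: str               # CVE id; placeholders in the samples below
    severity: str              # Inspector severity string
    inspector_score: float     # 0-10 contextual score from Inspector
    internet_reachable: bool   # True when a network reachability path exists
    criticality: str           # assumed tag value: prod | staging | test
    status: str = "ACTIVE"     # ACTIVE | SUPPRESSED | CLOSED


def priority(f: Finding) -> float:
    """Score a finding for remediation ordering. Suppressed and closed
    findings get 0 so they sink to the bottom without being dropped."""
    if f.status != "ACTIVE":
        return 0.0
    score = f.inspector_score * EXPOSURE_WEIGHT[f.internet_reachable] * CRITICALITY_WEIGHT[f.criticality]
    return round(score, 2)


def triage(findings: list) -> list:
    """Return findings ordered by priority, highest first; ties break by
    Inspector severity so a CRITICAL never sorts below a MEDIUM at equal score."""
    return sorted(findings, key=lambda f: (priority(f), SEVERITY_RANK[f.severity]), reverse=True)


def suppressions_to_review(findings: list) -> list:
    """Suppression is noise management, not remediation: surface every
    suppressed HIGH/CRITICAL finding so the exception gets re-justified."""
    return [
        f for f in findings
        if f.status == "SUPPRESSED" and SEVERITY_RANK[f.severity] >= SEVERITY_RANK["HIGH"]
    ]


# Constructed sample findings. The first two are the same CVE on different
# workloads: internet-facing production versus an isolated test instance.
SAMPLE_FINDINGS = [
    Finding("i-web-placeholder", "CVE-0000-00001", "MEDIUM", 5.0, True, "prod"),
    Finding("i-test-placeholder", "CVE-0000-00001", "MEDIUM", 5.0, False, "test"),
    Finding("i-app-placeholder", "CVE-0000-00002", "HIGH", 7.8, False, "prod"),
    Finding("image-placeholder", "CVE-0000-00003", "CRITICAL", 9.8, True, "prod", status="SUPPRESSED"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{priority(f):6.2f}  {f.severity:8}  {f.vuln_id}  {f.resource_id}")
    for f in suppressions_to_review(SAMPLE_FINDINGS):
        print(f"REVIEW SUPPRESSION: {f.vuln_id} on {f.resource_id}")
```

With these weights the internet-facing MEDIUM on production ranks first (12.5), ahead of an internal HIGH on production (9.75), while the identical CVE on the isolated test instance drops to 2.5. The suppressed CRITICAL scores 0 for ordering but is still returned by `suppressions_to_review`, which is the governance hook the text asks for: the exception stays visible instead of disappearing.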

10. Cost Model

Inspector pricing depends on scanned resources and scan types.

EC2, ECR, and Lambda scanning have different cost patterns.

The hidden cost is remediation labor. Vulnerability management requires patching, rebuilding, testing, and redeploying.

The cost of scanning should be weighed against the cost of exploit risk and emergency patching.

Use scope and suppression carefully, but do not disable scanning simply because findings create work.

12. SAA-C03 Exam Signals

"Scan EC2 instances for software vulnerabilities" points to Inspector.

"Scan container images in ECR" points to Inspector.

"Scan Lambda functions for vulnerabilities" points to Inspector.

"CVE findings and risk-based remediation" points to Inspector.

"Suspicious behavior or compromised credentials" points to GuardDuty.

"Aggregate findings from Inspector and other services" points to Security Hub.

"Patch EC2 instances" may point to Systems Manager Patch Manager after Inspector identifies vulnerabilities.

13. Common Exam Traps

Do not confuse Inspector with GuardDuty.

Do not confuse Inspector with Security Hub.

Do not expect Inspector to patch resources automatically.

Do not assume scanning works for unsupported resource types.

Do not forget organization-wide delegated administration for multi-account environments.

Do not suppress findings as a substitute for remediation.

Review Amazon EC2, Amazon Elastic Container Registry, AWS Systems Manager, Amazon GuardDuty, and AWS Security Hub.
